Regulators are increasingly using technology to improve regulatory oversight and modernise regulation. They are also using their influence to collaborate, convene and commission, so what is on the horizon for regulation and regulators born in the digital age?
Regulation is one of those things that is easy to understand. But is hard to operationalise for both regulators and the regulated. On the surface, it looks simple. Regulation protects consumers. It protects and enhances the integrity of the financial system. And it promotes competition. This is eminently sensible.
Regulators work to prevent harm and help to put things right when they go wrong. They enhance trust in markets, improve how they operate and try to deliver benefits through a common approach with their peers. Again, this is eminently sensible.
But when theory is translated into practice. When the regulatory rubber hits the road, things begin to go awry. This is partly around the amount of regulation. Yet partly also around the time and cost of compliance or non-compliance.
Around 200 regulatory revisions are published daily worldwide. More than a third of firms spend at least a whole day every week tracking and analysing regulatory change, according to a 2016 Thomson Reuters survey.
As to the costs, firms spend around $80 billion globally on governance, risk and compliance each year. This is set to reach $120 billion in the next five years, according to FinTech research firm Let’s Talk Payments.
Meanwhile fines for non-compliance have exceeded $320 billion since 2008, according to Deloitte. The costs to society of money laundering are $800 billion to $1.2 trillion annually. Or two to five percent of global GDP, according to the United Nations Office on Drugs and Crime. Is the regulation working? Or is it time for a regulatory reset?
THE TECH IN REGTECH
Cheap technology, abundant data and the growth in compliance requirements are all driving RegTech, according to Nick Cook, head of RegTech and advanced analytics at the UK Financial Conduct Authority (FCA). Speaking at an event in London in March, Cook listed three main uses of RegTech.
Firstly, technology used by firms to help them comply with regulations. Secondly, technology used by regulators to improve regulatory oversight and modernise regulation. This is sometimes known as supervisory tech, or SupTech for short. And thirdly, technology used by regulators to re-engineer and reform regulatory systems. This captures the FinTech Zeitgeist. Technology can automate existing processes, but also open up entirely new ways of working. So, how will the regulator of the future go about doing their job?
“It’s about how the regulator collects, accesses and analyses the vast swathes of data that are now available within the financial system,” said Martin Etheridge, head of the division responsible for FinTech at the Bank of England, speaking at the Innovate Finance Global Summit in London in March.
His fellow panelist from the Australian Securities and Investments Commission (ASIC) agreed, particularly with regard to the data-rich financial markets space. “We are the financial market conduct regulator and also the corporate registrar, which means that we get access to quite a lot of corporate information, which other regulators may not,” said Mark Adams, senior executive leader, strategic intelligence, ASIC.
Regulators have increasingly developed data strategies and employ chief data officers. As to their use of data, ASIC applies real-time supervisory technologies for alerts, post-trade analytics, making use of open source technology and data scientists. It also uses enforcement analytics and data visualisation tools.
But Adams highlighted that it was digitisation as much as data that could help improve regulatory oversight. For example, financial advice is not currently very digitised, with implications for both conduct and consistency. What would it mean for both regulators and firms in the way they conducted their business if financial advice was more digitised?
GHOST IN THE MACHINE
Meanwhile the FCA is exploring how it could digitise the regulatory process itself. It issued a call for input in February on machine-executable regulation. Cook explained the background: “When we first started thinking about RegTech, most of the technologies were automation plays. Taking the existing way of doing something and using technology to do the same task but in a slightly more efficient manner.”
“As we started to engage with the industry, something that came through loud and clear was an opportunity. If you had the technology, data assets and intellectual capital when you were creating a regulatory regime or process, would you do things completely differently?”
Financial institutions and FinTechs suggested specifying regulatory requirements in a form, fully readable and executable by computers. This would not require human interpretation. Or the significant cost or effort required to navigate and interpret the requirements.
In November 2017, the FCA convened a group of 40-50 entities for two weeks. They examined the question of whether the technology existed to write a legal requirement in a form fully understandable by a machine. And whether this could be directly implemented into machine code without human interpretation or effort.
“Broadly, we found that the technology did exist. With the pace of change, we feel confident that in the next year or two: absolutely,” said Cook. The FCA is now in a phase of broader dialogue with the industry about the business case, the pros and cons and roles of the regulator and the regulated. The trust equation and internal capabilities for adoption are also being considered as part of a call for input ending 20 June 2018.
“All of these new technologies require us to modernise our capabilities — and this is no exception. We think that the benefits could be very substantial. There’s a great opportunity to improve quality and reduce cost,” said Cook.
FOR THE BENEFIT OF ALL
But how far should regulators go in bringing about regulatory utilities? Some of the largest regulatory costs borne by the industry are around know your customer (KYC). The average spend by financial institutions to on-board new clients was $40 million in 2017. This rose to $124 million for larger institutions with a turnover of $10 billion or more, according to a 2017 Thomson Reuters report.
“If we can find industry-based solutions, endorsed by regulators, I think that would be perfect for the industry,” said Richard Teng, CEO, Financial Services Regulatory Authority (FSRA), Abu Dhabi Global Market (ADGM).
ADGM recently ran a proof of concept on a KYC project with some of the largest institutions in Abu Dhabi. The objective was to try to find solutions that could be shared, enabling customers to be on-boarded once and this data to be shared among other financial institutions.
“We are working on some of those efforts together with the industry. You do need the regulator involved, because if it is an industry-based solution without the regulator endorsing what is needed to gain trust and credibility and meet the standard, that would have fallen short,” said Teng.
However it is a challenge for regulators to decide where industry utilities make sense, how they are involved and what they endorse. “We supervise 56,000 firms and what fits well for some of the large market participants is not going to be the right kind of solution for some of the smaller players,” said Cook from the FCA.
“Our competition mandate gives us the mandate to focus on and encourage innovation, but it also means that we have to be very careful about distortionary effects on the markets, were we to endorse a utility,” he said.
Cook described the three-fold role of the regulator. First, an engaged participant entering into dialogue with the industry and feeding in its perspective, which has not historically been easy for regulators. Second, a catalytic convener, bringing industry participants together. Third, an evangelist or role model, bringing other
The fourth role of a certifier or approver is not one the FCA currently plays. It would require a skills uplift internally, exposes the organisation to potential liability risks as well as being contrary to its competition mandate.
THE REGULATORY PERIMETER
The use and impact of technology and greater data will affect what as much as how the regulator regulates. This means the regulatory perimeter, or scope of activities that must be authorised, will be increasingly under review.
For example, the Bank of England has adjusted its regulatory perimeter to encompass systemically important payment systems. The Bank has already committed to facilitating access to its core RTGS settlement infrastructure for payment service providers. “Alongside that, it is not just interbank payment systems that are within the scope of regulation. Those that are not [interbank systems]have the same degree of oversight, recognising that they have the potential to become systemically important,”
For the regulated, the challenge is sometimes not only the amount and scope of regulation, but the amount of regulators. “FinTech innovators do face challenges, because to them the regulations seem fragmented — siloed,” said Teng from ADGM. “So, who is really responsible for embracing and supporting innovation, for managing some of the risk coming from these innovations? If we had a blank slate now, is this how we would draw up the regulatory framework? I would say, possibly not,” continued Teng.
“By having multiple regulators, there will be inconsistencies in terms of approaches and treatment. But also gaps with fast-moving innovations and new business models coming through,”he said. It is quite difficult to coordinate closely [between regulators]to support innovation but also manage risk. “Over time I think that you would see some consolidation in the regulatory space to better support innovation. The speed of innovation is actually putting some stress on that front,” said Teng.
However the contra argument to that is specialism. “It does feel like it’s right that it is separate organisations with different remits bringing their particular expertise and focus to these questions,” said Etheridge from the Bank of England. “I’m not sure that I necessarily agree that the only answer is to have a single body that has all the responsibilities for everything. You do tend to lose a degree of specificity and specialisation with regard to that expertise,” continued Etheridge.
“If you had the technology,data assets and intellectual capital when you were creating a regulatory regime or process, would you do things completely differently?”
Nick Cook, FCA
It is no surprise that regulation and regulators born in the digital age will be more data-driven, digital and real-time. This could mean better, faster and cheaper regulation with no trade-offs. Regulators could move from reacting to problems to predicting them. Instead of waiting for risks to crystallise, initiating enforcement action and sending firms to rehab. They could pre-empt possible problems and proactively work with firms to fix them in a type of prehab approach.
Instead of playing catch-up with long lead times for new regulation, for example around crypto-assets. They could introduce new regulation and sunset old regulation quicker, giving better regulatory certainty. This will involve collaborating more closely across the industries they regulate, and with their peers across borders. It will involve keeping their role and regulatory perimeter under constant review.
“You talk to any regulator at the moment and their mode of operation is reactionary, whereas at least a portion of what they do could be digitised, especially in KYC operations,”
Simon Wilkinson, Tradle
Regulators don’t have it easy. Their difficulties are many and various. Take the requirement to look to the future, knowing only the past. Add a dash of scope-creep and limited resource. Fold through a heaped serving of technology, its use and impact. But in truth these challenges are not unique to regulators. Every financial services firm must grapple with them. Regulation is not easy for anyone, even for regulators.
A VIEW FROM THE SANDBOX
One of the ways that regulators are using their influence to collaborate and convene is with regulatory sandboxes. The FCA has been running a sandbox since 2016 and other regulators have since followed suit. Firms can test innovative products, services and business models in a live market environment. They may receive restricted authorisations, rule waivers or no enforcement action letters to test with the appropriate safeguards.
Of the 69 applicants, Tradle was one of the 24 accepted into the first cohort of the FCA sandbox. Tradle puts personal and commercial identities and verifiable documents on a Blockchain. It tested a system for automated customer authentication with insurance company Aviva.
“In our case, because we were going in with a partner, we had a double challenge. The first was to prove to the FCA that we were a safe pair of hands to be allowed to interface with customers. But then we had an even bigger challenge of convincing Aviva, a regulated firm, that we were an extremely safe pair of hands, not only to interact with their customers but protect their data,” said Simon Wilkinson, operations director, Tradle.
The FCA and Aviva were interested in what Tradle was doing around digital identity and the appetite of the older generation to use mobile and web technology for on-boarding, explained Wilkinson. This would be one of his main pieces of advice to firms considering participation in a regulatory sandbox. There needs to be a really good USP, namely a real advancement for the industry, consumers or the regulators.
Clearly articulating these benefits to all parties also helps the regulator with internal sell-in to their board. Wilkinson also recommends that firms are technically well-prepared before they venture into a sandbox. The FCA sandbox operates on a cohort basis with two six-month test periods per year. Being technically well-prepared during this time leaves longer for live testing.
Wilkinson summarises the sandbox experience as a very time-consuming commitment yet a golden opportunity for a FinTech. “Even if a firm thinks it is well advanced with banking relationships and ongoing revenue, it is a good testing ground,” he said. It is also validation of a business’ governance — and that it is considered worthy of the regulator’s time and effort.